Je ne connais pas de méthode “auto” en IPv4 (inet), la page de manuel ne la mentionne qu’en IPv6 (inet6). Il me semble que dans ton cas cela devrait être “static”. Aussi, il faudrait une ligne “auto enp0s7 enp0s8” et/ou “allow-hotplug enp0s7 enp0s8” pour configurer automatiquement les interfaces au démarrage.
En tout cas les addresses IP sont configurées sur les interfaces conformément au fichier.
enp0s7 192.168.1.30/24
enp0s8 10.0.0.30/24
Bonsoir,
-j’ai fait la modif en remplaçant auto par static,
-man interfaces
j’ai l’environnement ipv6, élaboré par tes conseils
root@alpha30:~# route -n
Table de routage IP du noyau
Destination Passerelle Genmask Indic Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 enp7s0
0.0.0.0 192.168.1.1 0.0.0.0 UG 100 0 0 enp7s0
0.0.0.0 192.168.1.1 0.0.0.0 UG 101 0 0 enp8s0
10.0.0.0 0.0.0.0 255.255.255.0 U 101 0 0 enp8s0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 enp7s0
192.168.1.1 0.0.0.0 255.255.255.255 UH 101 0 0 enp8s0
root@alpha30:~# ip routes
Object "routes" is unknown, try "ip help".
root@alpha30:~# ip route
default via 192.168.1.1 dev enp7s0
default via 192.168.1.1 dev enp7s0 proto static metric 100
default via 192.168.1.1 dev enp8s0 proto static metric 101
10.0.0.0/24 dev enp8s0 proto kernel scope link src 10.0.0.30 metric 101
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.1.0/24 dev enp7s0 proto kernel scope link src 192.168.1.30 metric 100
192.168.1.1 dev enp8s0 proto static scope link metric 101
root@alpha30:~# le parefeu
root@alpha30:~# /home/jb1/res*
+ /sbin/ifconfig enp7s0 192.168.1.30
+ /sbin/ifconfig enp8s0 10.0.0.30
+ /sbin/route add default gw 192.168.1.1 dev enp7s0
+ /home/jb1/fw.sh restart
+ . /lib/lsb/init-functions
+ run-parts --lsbsysinit --list /lib/lsb/init-functions.d
+ [ -r /lib/lsb/init-functions.d/20-left-info-blocks ]
+ . /lib/lsb/init-functions.d/20-left-info-blocks
+ [ -r /lib/lsb/init-functions.d/40-systemd ]
+ . /lib/lsb/init-functions.d/40-systemd
+ _use_systemctl=0
+ [ -d /run/systemd/system ]
+ prog=fw.sh
+ service=fw.service
+ systemctl -p LoadState --value show fw.service
+ state=not-found
+ [ not-found = masked ]
+ [ 5215 -ne 1 ]
+ [ -z ]
+ readlink -f /home/jb1/fw.sh
+ [ 0 = 1 ]
+ FANCYTTY=
+ [ -e /etc/lsb-base-logging.sh ]
+ true
+ IPV6=1
+ TCP_SERVICES=80 443 3306 135 136 137 138 139 445 631 901 9100
+ UDP_SERVICES=80 443 3306 135 136 137 138 139 445 631 901
+ REMOTE_TCP_SERVICES=
+ REMOTE_UDP_SERVICES=
+ ISROUTERNAT=true
+ ethx=enp8s0
+ ethy=enp7s0
+ readonly IPTABLES=/sbin/iptables
+ readonly IP6TABLES=/sbin/ip6tables
+ [ -x /sbin/iptables ]
+ [ 1 -eq 1 ]
+ [ -x /sbin/ip6tables ]
+ log_daemon_msg Starting firewall..
+ [ -z Starting firewall.. ]
+ log_daemon_msg_pre Starting firewall..
+ log_use_fancy_output
+ TPUT=/usr/bin/tput
+ EXPR=/usr/bin/expr
+ [ -t 1 ]
+ [ xxterm != x ]
+ [ xxterm != xdumb ]
+ [ -x /usr/bin/tput ]
+ [ -x /usr/bin/expr ]
+ /usr/bin/tput hpa 60
+ /usr/bin/tput setaf 1
+ [ -z ]
+ FANCYTTY=1
+ true
+ echo -n [....]
[....] + [ -z ]
+ echo -n Starting firewall..:
Starting firewall..:+ return
+ fw_start
+ fw_clear
+ /sbin/iptables -t filter -F
+ /sbin/iptables -t nat -F
+ /sbin/iptables -t mangle -F
+ /sbin/iptables -t raw -F
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t raw -P OUTPUT ACCEPT
+ /sbin/iptables -t raw -P PREROUTING ACCEPT
+ /sbin/iptables -F
+ [ 1 -eq 1 ]
+ /sbin/ip6tables -t filter -F
+ /sbin/ip6tables -t nat -F
+ /sbin/ip6tables -t mangle -F
+ /sbin/ip6tables -t raw -F
+ /sbin/ip6tables -t filter -P INPUT ACCEPT
+ /sbin/ip6tables -t filter -P OUTPUT ACCEPT
+ /sbin/ip6tables -t filter -P FORWARD ACCEPT
+ /sbin/ip6tables -t nat -P PREROUTING ACCEPT
+ /sbin/ip6tables -t nat -P POSTROUTING ACCEPT
+ /sbin/ip6tables -t nat -P OUTPUT ACCEPT
+ /sbin/ip6tables -t mangle -P PREROUTING ACCEPT
+ /sbin/ip6tables -t mangle -P OUTPUT ACCEPT
+ /sbin/ip6tables -t mangle -P POSTROUTING ACCEPT
+ /sbin/ip6tables -t mangle -P FORWARD ACCEPT
+ /sbin/ip6tables -t mangle -P INPUT ACCEPT
+ /sbin/ip6tables -t raw -P OUTPUT ACCEPT
+ /sbin/ip6tables -t raw -P PREROUTING ACCEPT
+ /sbin/ip6tables -F
+ /sbin/iptables -t filter -P INPUT DROP
+ /sbin/iptables -t filter -P FORWARD DROP
+ /sbin/iptables -t filter -P OUTPUT DROP
+ /sbin/iptables -t filter -A INPUT -i lo -j ACCEPT
+ /sbin/iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ [ -z ]
+ [ -z ]
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
+ /sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
+ /sbin/iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
+ /sbin/iptables -A INPUT -p tcp --dport 135 -j ACCEPT
+ /sbin/iptables -A INPUT -p tcp --dport 136 -j ACCEPT
+ /sbin/iptables -A INPUT -p tcp --dport 137 -j ACCEPT
+ /sbin/iptables -A INPUT -p tcp --dport 138 -j ACCEPT
+ /sbin/iptables -A INPUT -p tcp --dport 139 -j ACCEPT
+ /sbin/iptables -A INPUT -p tcp --dport 445 -j ACCEPT
+ /sbin/iptables -A INPUT -p tcp --dport 631 -j ACCEPT
+ /sbin/iptables -A INPUT -p tcp --dport 901 -j ACCEPT
+ /sbin/iptables -A INPUT -p tcp --dport 9100 -j ACCEPT
+ /sbin/iptables -A INPUT -p udp --dport 80 -j ACCEPT
+ /sbin/iptables -A INPUT -p udp --dport 443 -j ACCEPT
+ /sbin/iptables -A INPUT -p udp --dport 3306 -j ACCEPT
+ /sbin/iptables -A INPUT -p udp --dport 135 -j ACCEPT
+ /sbin/iptables -A INPUT -p udp --dport 136 -j ACCEPT
+ /sbin/iptables -A INPUT -p udp --dport 137 -j ACCEPT
+ /sbin/iptables -A INPUT -p udp --dport 138 -j ACCEPT
+ /sbin/iptables -A INPUT -p udp --dport 139 -j ACCEPT
+ /sbin/iptables -A INPUT -p udp --dport 445 -j ACCEPT
+ /sbin/iptables -A INPUT -p udp --dport 631 -j ACCEPT
+ /sbin/iptables -A INPUT -p udp --dport 901 -j ACCEPT
+ true
+ /sbin/iptables -A INPUT -i enp8s0 -j ACCEPT
+ /sbin/iptables -A INPUT -p icmp -j ACCEPT
+ /sbin/iptables -A FORWARD -i enp7s0 -o enp8s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+ /sbin/iptables -A FORWARD -o enp7s0 -j ACCEPT
+ /sbin/iptables -t nat -A POSTROUTING -o enp7s0 -j MASQUERADE
+ /sbin/iptables -t filter -A INPUT -j LOG --log-level=4
+ [ 1 -eq 1 ]
+ /sbin/ip6tables -t filter -P INPUT DROP
+ /sbin/ip6tables -t filter -P FORWARD DROP
+ /sbin/ip6tables -t filter -P OUTPUT DROP
+ /sbin/ip6tables -t filter -A INPUT -i lo -j ACCEPT
+ /sbin/ip6tables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ /sbin/ip6tables -t filter -A INPUT -p icmp -j LOG
+ /sbin/ip6tables -t filter -A INPUT -p icmp -j DROP
+ [ -z ]
+ [ -z ]
+ /sbin/ip6tables -t filter -P OUTPUT ACCEPT
+ /sbin/ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
+ /sbin/ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT
+ /sbin/ip6tables -A INPUT -p tcp --dport 3306 -j ACCEPT
+ /sbin/ip6tables -A INPUT -p tcp --dport 135 -j ACCEPT
+ /sbin/ip6tables -A INPUT -p tcp --dport 136 -j ACCEPT
+ /sbin/ip6tables -A INPUT -p tcp --dport 137 -j ACCEPT
+ /sbin/ip6tables -A INPUT -p tcp --dport 138 -j ACCEPT
+ /sbin/ip6tables -A INPUT -p tcp --dport 139 -j ACCEPT
+ /sbin/ip6tables -A INPUT -p tcp --dport 445 -j ACCEPT
+ /sbin/ip6tables -A INPUT -p tcp --dport 631 -j ACCEPT
+ /sbin/ip6tables -A INPUT -p tcp --dport 901 -j ACCEPT
+ /sbin/ip6tables -A INPUT -p tcp --dport 9100 -j ACCEPT
+ /sbin/ip6tables -A INPUT -p udp --dport 80 -j ACCEPT
+ /sbin/ip6tables -A INPUT -p udp --dport 443 -j ACCEPT
+ /sbin/ip6tables -A INPUT -p udp --dport 3306 -j ACCEPT
+ /sbin/ip6tables -A INPUT -p udp --dport 135 -j ACCEPT
+ /sbin/ip6tables -A INPUT -p udp --dport 136 -j ACCEPT
+ /sbin/ip6tables -A INPUT -p udp --dport 137 -j ACCEPT
+ /sbin/ip6tables -A INPUT -p udp --dport 138 -j ACCEPT
+ /sbin/ip6tables -A INPUT -p udp --dport 139 -j ACCEPT
+ /sbin/ip6tables -A INPUT -p udp --dport 445 -j ACCEPT
+ /sbin/ip6tables -A INPUT -p udp --dport 631 -j ACCEPT
+ /sbin/ip6tables -A INPUT -p udp --dport 901 -j ACCEPT
+ true
+ /sbin/ip6tables -A INPUT -i enp8s0 -j ACCEPT
+ /sbin/ip6tables -A INPUT -p icmp -j ACCEPT
+ /sbin/ip6tables -A FORWARD -i enp7s0 -o enp8s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+ /sbin/ip6tables -A FORWARD -o enp7s0 -j ACCEPT
+ /sbin/ip6tables -t nat -A POSTROUTING -o enp7s0 -j MASQUERADE
+ /sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
+ /sbin/ip6tables -A OUTPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
+ /sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
+ /sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
+ /sbin/ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
+ /sbin/ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
+ /sbin/ip6tables -t filter -A INPUT -j LOG --log-level=4
+ log_end_msg 0
+ [ -z 0 ]
+ local retval
+ retval=0
+ log_end_msg_pre 0
+ log_use_fancy_output
+ TPUT=/usr/bin/tput
+ EXPR=/usr/bin/expr
+ [ -t 1 ]
+ [ xxterm != x ]
+ [ xxterm != xdumb ]
+ [ -x /usr/bin/tput ]
+ [ -x /usr/bin/expr ]
+ /usr/bin/tput hpa 60
+ /usr/bin/tput setaf 1
+ [ -z 1 ]
+ true
+ true
+ /usr/bin/tput setaf 1
+ RED=
+ /usr/bin/tput setaf 2
+ GREEN=
+ /usr/bin/tput setaf 3
+ YELLOW=
+ /usr/bin/tput op
+ NORMAL=
+ /usr/bin/tput civis
+ /usr/bin/tput sc
+ /usr/bin/tput hpa 0
+ [ 0 -eq 0 ]
+ /bin/echo -ne [ ok
[ ok + /usr/bin/tput rc
+ /usr/bin/tput cnorm
+ log_use_fancy_output
+ TPUT=/usr/bin/tput
+ EXPR=/usr/bin/expr
+ [ -t 1 ]
+ [ xxterm != x ]
+ [ xxterm != xdumb ]
+ [ -x /usr/bin/tput ]
+ [ -x /usr/bin/expr ]
+ /usr/bin/tput hpa 60
+ /usr/bin/tput setaf 1
+ [ -z 1 ]
+ true
+ true
+ /usr/bin/tput setaf 1
+ RED=
+ /usr/bin/tput setaf 3
+ YELLOW=
+ /usr/bin/tput op
+ NORMAL=
+ [ 0 -eq 0 ]
+ echo .
.
+ log_end_msg_post 0
+ :
+ return 0
+ exit 0
+ /sbin/ifconfig -a
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:9a:16:d4:6a txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp7s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.30 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 2a01:cb0c:837e:fb00:b040:a738:2fb0:269d prefixlen 64 scopeid 0x0<global>
inet6 fe80::5e8d:1952:cf2d:59bd prefixlen 64 scopeid 0x20<link>
ether 1c:6f:65:3d:35:16 txqueuelen 1000 (Ethernet)
RX packets 1001 bytes 263451 (257.2 KiB)
RX errors 0 dropped 2 overruns 0 frame 0
TX packets 751 bytes 183970 (179.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp8s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.30 netmask 255.255.255.0 broadcast 10.0.0.255
inet6 fe80::a1bb:8076:c73f:b646 prefixlen 64 scopeid 0x20<link>
ether 00:0c:76:ae:b5:56 txqueuelen 1000 (Ethernet)
RX packets 3 bytes 276 (276.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 200 bytes 48148 (47.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Boucle locale)
RX packets 2936 bytes 310873 (303.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2936 bytes 310873 (303.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
+ /sbin/route -n
Table de routage IP du noyau
Destination Passerelle Genmask Indic Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 enp7s0
0.0.0.0 192.168.1.1 0.0.0.0 UG 100 0 0 enp7s0
0.0.0.0 192.168.1.1 0.0.0.0 UG 101 0 0 enp8s0
10.0.0.0 0.0.0.0 255.255.255.0 U 101 0 0 enp8s0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 enp7s0
192.168.1.1 0.0.0.0 255.255.255.255 UH 101 0 0 enp8s0
+ ip -6 addr add 2a01:cb0c:835f:2400::/56 dev enp7s0
+ ip -f inet6 ro add default via 2a01:cb0c:835f:2400::1 dev enp7s0
+ ip6tables -I INPUT -p icmpv6 --icmpv6-type 133/0 -j ACCEPT
+ ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 134/0 -j ACCEPT
+ ip6tables -A INPUT -s fe80::/64 -p icmpv6 --icmpv6-type 134/0 -j ACCEPT
+ ip6tables -A OUTPUT -d 2a01:cb0c:835f:2400::/56 -p icmpv6 --icmpv6-type 133/0 -j ACCEPT
root@alpha30:~# route -n
Table de routage IP du noyau
Destination Passerelle Genmask Indic Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 enp7s0
0.0.0.0 192.168.1.1 0.0.0.0 UG 100 0 0 enp7s0
0.0.0.0 192.168.1.1 0.0.0.0 UG 101 0 0 enp8s0
10.0.0.0 0.0.0.0 255.255.255.0 U 101 0 0 enp8s0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 enp7s0
192.168.1.1 0.0.0.0 255.255.255.255 UH 101 0 0 enp8s0
root@alpha30:~# ip routes
Object "routes" is unknown, try "ip help".
root@alpha30:~# ip route
default via 192.168.1.1 dev enp7s0
default via 192.168.1.1 dev enp7s0 proto static metric 100
default via 192.168.1.1 dev enp8s0 proto static metric 101
10.0.0.0/24 dev enp8s0 proto kernel scope link src 10.0.0.30 metric 101
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.1.0/24 dev enp7s0 proto kernel scope link src 192.168.1.30 metric 100
192.168.1.1 dev enp8s0 proto static scope link metric 101
C’est quoi tout ça ?
Bonsoir,
je devrais avoir un peu cela:
^C
root@alpha30:~# man route
root@alpha30:~# route del -host 192.168.1.1
root@alpha30:~# route del -net 0.0.0.0
root@alpha30:~# route del -net 0.0.0.0
root@alpha30:~# route del -net 0.0.0.0
root@alpha30:~# route -n
Table de routage IP du noyau
Destination Passerelle Genmask Indic Metric Ref Use Iface
10.0.0.0 0.0.0.0 255.255.255.0 U 101 0 0 enp8s0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 enp7s0
root@alpha30:~# route add default gw 192.168.1.1 dev enp7s0
root@alpha30:~# route -n
Table de routage IP du noyau
Destination Passerelle Genmask Indic Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 enp7s0
10.0.0.0 0.0.0.0 255.255.255.0 U 101 0 0 enp8s0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 enp7s0
root@alpha30:~# le parefeu:
root@alpha30:/home/jb1# more fw.sh
#!/bin/sh
set -x
### BEGIN INIT INFO
# Provides: mon_parefeu
# Required-Start: $local_fs
# Should-Start:
# Required-Stop: $local_fs
# Should-Stop:
# X-Start-Before: $network
# X-Stop-After: $network
# Default-Start: S
# Default-Stop: 0 6
# Short-description: Configure le parefeu
# Description: Met en place les règles iptables.
### END INIT INFO
#------------------------Explications----------------------------------#
#
# Défauts :
# - Cette configuration s'applique à toutes les interfaces réseau.
# Si vous voulez restreindre cela à une interface donnée,
# utilisez '-i INTERFACE' dans la variables $IPTABLES.
#
# - Par défaut, le script autorise tout en sortie.
# Pour changer ce comportement veuillez indiquer les numéros
# de port en question dans les variables
# $REMOTE_TCP_SERVICES
# et/ou $REMOTE_UDP_SERVICES
#
# - Pour configurer une machine routeur,
# changez la valeur de la variable
# ISROUTERNAT à true, ainsi que
# les interfaces ethx et ethy selon votre configuration
# ethx correspond à l'interface du LAN
# ethy correspond à l'interface reliée à la truc-box
#
# description: Active/Désactive le pare-feu au démarrage
#
#----------------------------------------------------------------------#
. /lib/lsb/init-functions
#------------------------VARIABLES-------------------------------------#
# Mettre à 1 si vous utilisez IPV6 :
IPV6=1
# Services que le système offrira au réseau, à séparer avec des espaces
# ftp : 21, ssh : 22, serveur web : 80, cups : 631, jabber : 5222
TCP_SERVICES="80 443 3306 135 136 137 138 139 445 631 901 9100 "
UDP_SERVICES="80 443 3306 135 136 137 138 139 445 631 901"
# Services que le système utilisera du réseau
# (défaut : autorise tout en sortie)
REMOTE_TCP_SERVICES=""
REMOTE_UDP_SERVICES=""
# Pour une machine faisant office de routeur avec NAT,
# changer la valeur de la variable ISROUTERNAT à true.
ISROUTERNAT=true
# ethx correspond à l'interface du LAN
root@alpha30:/home/jb1# cat fw.sh
#!/bin/sh
set -x
### BEGIN INIT INFO
# Provides: mon_parefeu
# Required-Start: $local_fs
# Should-Start:
# Required-Stop: $local_fs
# Should-Stop:
# X-Start-Before: $network
# X-Stop-After: $network
# Default-Start: S
# Default-Stop: 0 6
# Short-description: Configure le parefeu
# Description: Met en place les règles iptables.
### END INIT INFO
#------------------------Explications----------------------------------#
#
# Défauts :
# - Cette configuration s'applique à toutes les interfaces réseau.
# Si vous voulez restreindre cela à une interface donnée,
# utilisez '-i INTERFACE' dans la variables $IPTABLES.
#
# - Par défaut, le script autorise tout en sortie.
# Pour changer ce comportement veuillez indiquer les numéros
# de port en question dans les variables
# $REMOTE_TCP_SERVICES
# et/ou $REMOTE_UDP_SERVICES
#
# - Pour configurer une machine routeur,
# changez la valeur de la variable
# ISROUTERNAT à true, ainsi que
# les interfaces ethx et ethy selon votre configuration
# ethx correspond à l'interface du LAN
# ethy correspond à l'interface reliée à la truc-box
#
# description: Active/Désactive le pare-feu au démarrage
#
#----------------------------------------------------------------------#
. /lib/lsb/init-functions
#------------------------VARIABLES-------------------------------------#
# Mettre à 1 si vous utilisez IPV6 :
IPV6=1
# Services que le système offrira au réseau, à séparer avec des espaces
# ftp : 21, ssh : 22, serveur web : 80, cups : 631, jabber : 5222
TCP_SERVICES="80 443 3306 135 136 137 138 139 445 631 901 9100 "
UDP_SERVICES="80 443 3306 135 136 137 138 139 445 631 901"
# Services que le système utilisera du réseau
# (défaut : autorise tout en sortie)
REMOTE_TCP_SERVICES=""
REMOTE_UDP_SERVICES=""
# Pour une machine faisant office de routeur avec NAT,
# changer la valeur de la variable ISROUTERNAT à true.
ISROUTERNAT=true
# ethx correspond à l'interface du LAN
# ethy correspond à l'interface reliée à la truc-box
ethx="enp8s0"
ethy="enp7s0"
# Chemins vers iptables
readonly IPTABLES=/sbin/iptables
readonly IP6TABLES=/sbin/ip6tables
#----------------------------------------------------------------------#
if ! [ -x $IPTABLES ]; then
exit 0
fi
if [ $IPV6 -eq 1 ]; then
if ! [ -x $IP6TABLES ]; then
exit 0
fi
fi
#----------------------------FONCTIONS---------------------------------#
fw_start () {
# Vidage
fw_clear
# Parefeu - Suppression des règles
# Interdictions
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t filter -P OUTPUT DROP
# Parefeu - interdictions générales établies
# Loopback
$IPTABLES -t filter -A INPUT -i lo -j ACCEPT
# Trafic d'entrée :
$IPTABLES -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Refus du ping pour éviter de répondre aux scans des éventuels vilains
# $IPTABLES -t filter -A INPUT -p icmp -j LOG
# $IPTABLES -t filter -A INPUT -p icmp -j DROP
# Sortie autorisée, si aucun port autorisé en sortie n'est défini
if [ -z "$REMOTE_TCP_SERVICES"] && [ -z "$REMOTE_UDP_SERVICES" ]; then
$IPTABLES -t filter -P OUTPUT ACCEPT
fi
# Services à autoriser en entrée
for PORT in $TCP_SERVICES; do
$IPTABLES -A INPUT -p tcp --dport ${PORT} -j ACCEPT
done
for PORT in $UDP_SERVICES; do
$IPTABLES -A INPUT -p udp --dport ${PORT} -j ACCEPT
done
# Services à autoriser en sortie
for PORT in $REMOTE_TCP_SERVICES; do
$IPTABLES -A OUTPUT -p tcp --dport ${PORT} -j ACCEPT
done
for PORT in $REMOTE_UDP_SERVICES; do
$IPTABLES -A OUTPUT -p udp --dport ${PORT} -j ACCEPT
done
# Parefeu - Mise en place des règles
if $ISROUTERNAT ; then
$IPTABLES -A INPUT -i $ethx -j ACCEPT
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -A FORWARD -i $ethy -o $ethx -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -o $ethy -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $ethy -j MASQUERADE
# Parefeu - Routeur avec NAT
fi
# Toutes les autres connexions sont enregistrées dans syslog
$IPTABLES -t filter -A INPUT -j LOG --log-level=4
# Configuration IPV6
if [ $IPV6 -eq 1 ]; then
# Interdictions
$IP6TABLES -t filter -P INPUT DROP
$IP6TABLES -t filter -P FORWARD DROP
$IP6TABLES -t filter -P OUTPUT DROP
# Loopback
$IP6TABLES -t filter -A INPUT -i lo -j ACCEPT
# Trafic d'entrée :
$IP6TABLES -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Refus du ping pour éviter de répondre aux scans des éventuels vilains
$IP6TABLES -t filter -A INPUT -p icmp -j LOG
$IP6TABLES -t filter -A INPUT -p icmp -j DROP
# Sortie autorisée, si aucun port autorisé en sortie n'est défini
if [ -z "$REMOTE_TCP_SERVICES"] && [ -z "$REMOTE_UDP_SERVICES" ]; then
$IP6TABLES -t filter -P OUTPUT ACCEPT
fi
# Services à autoriser en entrée
for PORT in $TCP_SERVICES; do
$IP6TABLES -A INPUT -p tcp --dport ${PORT} -j ACCEPT
done
for PORT in $UDP_SERVICES; do
$IP6TABLES -A INPUT -p udp --dport ${PORT} -j ACCEPT
done
# Services à autoriser en sortie
for PORT in $REMOTE_TCP_SERVICES; do
$IP6TABLES -A OUTPUT -p tcp --dport ${PORT} -j ACCEPT
done
for PORT in $REMOTE_UDP_SERVICES; do
$IP6TABLES -A OUTPUT -p udp --dport ${PORT} -j ACCEPT
done
# Parefeu - Mise en place des règles
if $ISROUTERNAT ; then
$IP6TABLES -A INPUT -i $ethx -j ACCEPT
$IP6TABLES -A INPUT -p icmp -j ACCEPT
$IP6TABLES -A FORWARD -i $ethy -o $ethx -m state --state RELATED,ESTABLISHED -j ACCEPT
$IP6TABLES -A FORWARD -o $ethy -j ACCEPT
$IP6TABLES -t nat -A POSTROUTING -o $ethy -j MASQUERADE
$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
fi
# Pour toute interface de type broadcast
$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
# Toutes les autres connexions sont enregistrées dans syslog
$IP6TABLES -t filter -A INPUT -j LOG --log-level=4
fi
}
fw_stop () {
#$IPTABLES -F
#$IPTABLES -t nat -F
#$IPTABLES -t mangle -F
#$IPTABLES -P INPUT DROP
#$IPTABLES -P FORWARD DROP
#$IPTABLES -P OUTPUT ACCEPT
iptables-save > /etc/firewall
}
fw_clear () {
$IPTABLES -t filter -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -t raw -F
$IPTABLES -t filter -P INPUT ACCEPT
$IPTABLES -t filter -P OUTPUT ACCEPT
$IPTABLES -t filter -P FORWARD ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t raw -P OUTPUT ACCEPT
$IPTABLES -t raw -P PREROUTING ACCEPT
$IPTABLES -F
if [ $IPV6 -eq 1 ]; then
$IP6TABLES -t filter -F
$IP6TABLES -t nat -F
$IP6TABLES -t mangle -F
$IP6TABLES -t raw -F
$IP6TABLES -t filter -P INPUT ACCEPT
$IP6TABLES -t filter -P OUTPUT ACCEPT
$IP6TABLES -t filter -P FORWARD ACCEPT
$IP6TABLES -t nat -P PREROUTING ACCEPT
$IP6TABLES -t nat -P POSTROUTING ACCEPT
$IP6TABLES -t nat -P OUTPUT ACCEPT
$IP6TABLES -t mangle -P PREROUTING ACCEPT
$IP6TABLES -t mangle -P OUTPUT ACCEPT
$IP6TABLES -t mangle -P POSTROUTING ACCEPT
$IP6TABLES -t mangle -P FORWARD ACCEPT
$IP6TABLES -t mangle -P INPUT ACCEPT
$IP6TABLES -t raw -P OUTPUT ACCEPT
$IP6TABLES -t raw -P PREROUTING ACCEPT
$IP6TABLES -F
fi
}
fw_status () {
$IPTABLES -L --line-numbers
if [ $IPV6 -eq 1 ]; then
$IP6TABLES -L --line-numbers
fi
}
#----------------------------------------------------------------------#
case "$1" in
start|restart)
log_daemon_msg "Starting firewall.."
fw_start
log_end_msg $?
;;
stop)
log_daemon_msg "Stopping firewall.."
fw_stop
log_end_msg $?
;;
clean)
log_daemon_msg "Clearing firewall rules.."
fw_clear
log_end_msg $?
;;
status)
log_daemon_msg "Firewall status"
fw_status
;;
*)
log_action_msg "Usage $0 {start|stop|restart|clean|status}"
exit 1
;;
esac
exit 0
root@alpha30:/home/jb1# exit 0
root@alpha30:/home/jb1# cat res*
#!/bin/sh
set -x
/sbin/ifconfig enp7s0 192.168.1.30
/sbin/ifconfig enp8s0 10.0.0.30
/sbin/route add default gw 192.168.1.1 dev enp7s0
/home/jb1/fw.sh restart
/sbin/ifconfig -a
/sbin/route -n
ip -6 addr add 2a01:cb0c:835f:2400::/56 dev enp7s0
ip -f inet6 ro add default via 2a01:cb0c:835f:2400::1 dev enp7s0
ip6tables -I INPUT -p icmpv6 --icmpv6-type 133/0 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 134/0 -j ACCEPT
ip6tables -A INPUT -s fe80::/64 -p icmpv6 --icmpv6-type 134/0 -j ACCEPT
ip6tables -A OUTPUT -d 2a01:cb0c:835f:2400::/56 -p icmpv6 --icmpv6-type 133/0 -j ACCEPT
root@alpha30:/home/jb1# pour le parefeu, je lance res*
Visiblement il y a d’autres choses que /etc/network/interfaces qui configurent les interfaces.
Est-ce que tu pourrais, pour tester, démarrer la machine
et vérifier la configuration des interfaces avec
ip addr
ip routeBonjour,
oui mais demain matin,
c’est la journéé de la Femme
et en plus son anniversaire,
du monde à table,
excuse moi, bonne aprés midi
j’ai noté les commandes
Bonjour,
jb1@alpha30:~$ su -
Mot de passe :
root@alpha30:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 1c:6f:65:3d:35:16 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.30/24 brd 10.0.0.255 scope global noprefixroute enp7s0
valid_lft forever preferred_lft forever
inet6 2a01:cb0c:837e:fb00:146b:f244:b076:3842/64 scope global dynamic noprefixroute
valid_lft 1755sec preferred_lft 555sec
inet6 fe80::dcdd:641f:1eae:9dc4/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: enp8s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:76:ae:b5:56 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.30/24 brd 192.168.1.255 scope global noprefixroute enp8s0
valid_lft forever preferred_lft forever
inet6 fe80::532e:d086:5b48:d0d6/64 scope link noprefixroute
valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:1b:c2:26:1a brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
root@alpha30:~# ip route
default via 192.168.1.1 dev enp7s0 proto static metric 100
default via 192.168.1.1 dev enp8s0 proto static metric 101
10.0.0.0/24 dev enp7s0 proto kernel scope link src 10.0.0.30 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.1.0/24 dev enp8s0 proto kernel scope link src 192.168.1.30 metric 101
192.168.1.1 dev enp7s0 proto static scope link metric 100
root@alpha30:~# Cette fois on voit enfin l’inversion dont tu parlais entre ce qui est défini dans /etc/network/interfaces et les adresses effectivement configurées sur les interfaces. Mais j’avais demandé de débrancher les câbles réseau pour éliminer toute influence externe, or le drapeau LOWER_UP indique que la liaison est active.
En revanche les routes anormales restent présentes.
Dans la chasse à quelque chose d’autre qui appliquerait une configuration inverse, y a-t-il des fichiers dans /etc/network/interfaces.d/* ?
Je propose de ne plus définir les interfaces enp* en auto ni allow-hotplug, redémarrer, toujours sans exécuter les scripts supplémentaires et sans câbles réseau, et revérifier les adresses et les routes.
bonjour,
-environnent interfaces doivent être en dhcp?
si oui les clients de la passerelle ne retrouveront plus 10.0.0.30
-2 cables débranchés:
jb1@alpha30:~$ su -
Mot de passe :
root@alpha30:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp7s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 1c:6f:65:3d:35:16 brd ff:ff:ff:ff:ff:ff
3: enp8s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 00:0c:76:ae:b5:56 brd ff:ff:ff:ff:ff:ff
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:13:64:d9:0f brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
root@alpha30:~# ip route
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
root@alpha30:~# ifconfig -a
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:13:64:d9:0f txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp7s0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 1c:6f:65:3d:35:16 txqueuelen 1000 (Ethernet)jb1@alpha30:~$ su -
Mot de passe :
root@alpha30:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp7s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 1c:6f:65:3d:35:16 brd ff:ff:ff:ff:ff:ff
3: enp8s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 00:0c:76:ae:b5:56 brd ff:ff:ff:ff:ff:ff
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:13:64:d9:0f brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
root@alpha30:~# ip route
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
root@alpha30:~# ifconfig -a
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:13:64:d9:0f txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp7s0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 1c:6f:65:3d:35:16 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp8s0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 00:0c:76:ae:b5:56 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Boucle locale)
RX packets 3444 bytes 366512 (357.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3444 bytes 366512 (357.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
root@alpha30:~# route -n
Table de routage IP du noyau
Destination Passerelle Genmask Indic Metric Ref Use Iface
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
root@alpha30:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION (1 references)jb1@alpha30:~$ su -
Mot de passe :
root@alpha30:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp7s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 1c:6f:65:3d:35:16 brd ff:ff:ff:ff:ff:ff
3: enp8s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 00:0c:76:ae:b5:56 brd ff:ff:ff:ff:ff:ff
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:13:64:d9:0f brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
root@alpha30:~# ip route
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
root@alpha30:~# ifconfig -a
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:13:64:d9:0f txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp7s0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 1c:6f:65:3d:35:16 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp8s0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 00:0c:76:ae:b5:56 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Boucle locale)
RX packets 3444 bytes 366512 (357.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3444 bytes 366512 (357.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
root@alpha30:~# route -n
Table de routage IP du noyau
Destination Passerelle Genmask Indic Metric Ref Use Iface
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
root@alpha30:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
root@alpha30:~#
target prot opt source destination
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
root@alpha30:~#
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp8s0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 00:0c:76:ae:b5:56 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Boucle locale)
RX packets 3444 bytes 366512 (357.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3444 bytes 366512 (357.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
root@alpha30:~# route -n
Table de routage IP du noyau
Destination Passerelle Genmask Indic Metric Ref Use Iface
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
root@alpha30:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
root@alpha30:~# STP, mets un peu d’ordre dans tes résultats : tu as copié plusieurs fois les mêmes commandes, et parfois de façon entrecoupée. Et ne mets que ce que j’ai demandé comme iptables. Je n’ai pas besoin de voir à la fois les sorties d’ip addr et ifconfig qui fournissent à peu près les mêmes informations.
Je ne comprends pas la question. Peux-tu développer ?
Je vois cela : NO-CARRIER
Par contre les interfaces sont activées : UP. Les directives auto et allow-hotplug pour les interfaces en* ont été supprimées ou commentées dans /etc/network/interfaces{,.d/*} ? Si oui, il y a quelque chose d’autre qui les a activées.
A ce stade, peux-tu fournir la sortie complète de
cat /etc/network/interfaces{,.d/*}
Puis des commandes suivantes, toujours sans brancher les câbles :
ifup -v enp7s0
ip addr
ip route
ifup -v enp8s0
ip addr
ip routebonsoir,
une partie des commandes 2 cables branchés
ainsi que le fichier /etc/default/networking
root@alpha30:/etc/network# cd in*d
root@alpha30:/etc/network/interfaces.d# ls -l
total 0
root@alpha30:/etc/network/interfaces.d# ifup -v enp7s0
ifup: unknown interface enp7s0
root@alpha30:/etc/network/interfaces.d# ifconfig -a
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:31:2a:5d:44 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp7s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.30 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 2a01:cb0c:837e:fb00:b040:a738:2fb0:269d prefixlen 64 scopeid 0x0<global>
inet6 fe80::5e8d:1952:cf2d:59bd prefixlen 64 scopeid 0x20<link>
ether 1c:6f:65:3d:35:16 txqueuelen 1000 (Ethernet)
RX packets 632889 bytes 631051187 (601.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 385633 bytes 44258350 (42.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp8s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.30 netmask 255.255.255.0 broadcast 10.0.0.255
inet6 fe80::a1bb:8076:c73f:b646 prefixlen 64 scopeid 0x20<link>
ether 00:0c:76:ae:b5:56 txqueuelen 1000 (Ethernet)
RX packets 14099 bytes 2388380 (2.2 MiB)
RX errors 0 dropped 16 overruns 0 frame 0
TX packets 17526 bytes 13209447 (12.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Boucle locale)
RX packets 970827 bytes 105794249 (100.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 970827 bytes 105794249 (100.8 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
root@alpha30:/etc/network/interfaces.d# ifup -v enp7s0
ifup: unknown interface enp7s0
root@alpha30:/etc/network/interfaces.d# ifup -v enp8s0
ifup: unknown interface enp8s0
root@alpha30:/etc/network/interfaces.d# cd /etc/default
root@alpha30:/etc/default# ls -l
total 260
-rw-r--r-- 1 root root 290 déc. 28 2014 anacron
-rw-r--r-- 1 root root 556 janv. 25 2017 apache-htcacheclean
-rw-r--r-- 1 root root 3459 sept. 23 21:26 asterisk
-rw-r--r-- 1 root root 1514 déc. 2 12:46 aufs
-rw-r--r-- 1 root root 219 janv. 23 2017 avahi-daemon
-rw-r--r-- 1 root root 845 oct. 24 2016 bluetooth
-rw-r--r-- 1 root root 125 juil. 2 2017 bridge-utils
-rw-r--r-- 1 root root 222 oct. 25 2016 bsdmainutils
-rw------- 1 root root 384 nov. 7 2016 cacerts
-rw-r--r-- 1 root root 285 mars 1 17:42 console-setup
-rw-r--r-- 1 root root 252 déc. 18 2016 corosync
-rw-r--r-- 1 root root 85 déc. 18 2016 corosync-notifyd
-rw-r--r-- 1 root root 264 déc. 19 2016 corosync-qdevice
-rw-r--r-- 1 root root 618 déc. 19 2016 corosync-qnetd
-rw-r--r-- 1 root root 549 août 23 2014 crda
-rw-r--r-- 1 root root 955 mai 14 2015 cron
-rw-r--r-- 1 root root 297 nov. 28 2016 dbus
-rw-r--r-- 1 root root 654 juin 23 2017 docker
-rw-r--r-- 1 root root 1227 mai 25 2016 ebtables
-rw-r--r-- 1 root root 105 janv. 1 12:26 gdomap
-rw-r--r-- 1 root root 1205 mars 10 06:59 grub
drwxr-xr-x 2 root root 4096 mars 11 10:08 grub.d
-rw-r--r-- 1 root root 1205 févr. 24 10:15 grub.ucf-old
-rw-r--r-- 1 root root 1226 mars 1 17:43 hddtemp
-rw-r--r-- 1 root root 657 nov. 8 2016 hwclock
-rw-r--r-- 1 root root 198 juin 1 2014 ipmievd
-rw-r--r-- 1 root root 931 mars 1 17:42 irqbalance
-rw-r--r-- 1 root root 2775 déc. 3 23:49 jenkins
-rw-r--r-- 1 root root 4564 févr. 6 15:53 kdump-tools
-rw-r--r-- 1 root root 4667 juin 21 2017 kdump-tools.ucf-old
-rw-r--r-- 1 root root 342 mars 1 17:43 kexec
drwxr-xr-x 2 root root 4096 janv. 25 2017 kexec.d
-rw-r--r-- 1 root root 156 mars 1 17:32 keyboard
-rw-r--r-- 1 root root 472 sept. 8 2017 libvirtd
-rw-r--r-- 1 root root 2287 févr. 8 19:29 libvirt-guests
-rw-r--r-- 1 root root 54 févr. 12 2017 locale
-rw-r--r-- 1 root root 730 août 27 2017 minidlna
-rw-r--r-- 1 root root 580 févr. 1 17:54 minissdpd
-rw-r--r-- 1 root root 1190 janv. 24 2017 mysql
-rw-r--r-- 1 root root 1032 juil. 22 2017 networking
-rw-r--r-- 1 root root 793 déc. 15 2016 nfs-common
-rw-r--r-- 1 root root 632 déc. 15 2016 nfs-kernel-server
-rw-r--r-- 1 root root 1756 déc. 4 2016 nss
-rw-r--r-- 1 root root 15 mai 7 2017 ntp
-rw-r--r-- 1 root root 529 mai 7 2017 ntpdate
-rw-r--r-- 1 root root 2691 juin 18 2017 open-iscsi
-rw-r--r-- 1 root root 1184 juin 30 2015 openvpn
-rw-r--r-- 1 root root 6885 nov. 6 15:02 pacemaker
-rw-r--r-- 1 root root 291 août 23 2017 portsentry
---------- 1 root root 0 févr. 12 2017 rcS
-rw-r--r-- 1 root root 382 janv. 1 2017 rdnssd
-rw-r--r-- 1 root root 2062 déc. 30 2015 rsync
-rw-r--r-- 1 root root 124 janv. 18 2017 rsyslog
-rw-r--r-- 1 root root 209 mai 31 2017 saned
-rw-r--r-- 1 root root 1164 juin 30 2015 snort
-rw-r--r-- 1 root root 132 janv. 10 2017 speech-dispatcher
-rw-r--r-- 1 root root 133 janv. 16 2017 ssh
-rw-r--r-- 1 root root 1958 juil. 6 2017 tomcat7
-rw-r--r-- 1 root root 1911 juil. 6 2017 tomcat8
-rw-r--r-- 1 root root 2623 mars 4 2017 tor
-rw-r--r-- 1 root root 1118 janv. 6 2017 useradd
-rw-r--r-- 1 root root 53 oct. 16 22:48 virtlogd
-rw-r--r-- 1 root root 359 mai 22 2016 wicd
root@alpha30:/etc/default# pg netw*
# Configuration for networking init script being run during
# the boot sequence
# Set to 'no' to skip interfaces configuration on boot
#CONFIGURE_INTERFACES=yes
# Don't configure these interfaces. Shell wildcards supported/
#EXCLUDE_INTERFACES=
# Set to 'yes' to enable additional verbosity
#VERBOSE=no
# Method to wait for the network to become online,
# for services that depend on a working network:
# - ifup: wait for ifup to have configured an interface.
# - route: wait for a route to a given address to appear.
# - ping/ping6: wait for a host to respond to ping packets.
# - none: don't wait.
#WAIT_ONLINE_METHOD=ifup
# Which interface to wait for.
# If none given, wait for all auto interfaces, or if there are none,
# wait for at least one hotplug interface.
#WAIT_ONLINE_IFACE=
# Which address to wait for for route, ping and ping6 methods.
# If none is given for route, it waits for a default gateway.
#WAIT_ONLINE_ADDRESS=
# Timeout in seconds for waiting for the network to come online.
#WAIT_ONLINE_TIMEOUT=300
root@alpha30:/etc/default# root@alpha30:/etc/default# pg netw*
-su: root@alpha30:/etc/default#: Aucun fichier ou dossier de ce type
root@alpha30:/etc/default# # Configuration for networking init script being run during
root@alpha30:/etc/default# # the boot sequence
root@alpha30:/etc/default#
root@alpha30:/etc/default# # Set to 'no' to skip interfaces configuration on boot
root@alpha30:/etc/default# #CONFIGURE_INTERFACES=yes
root@alpha30:/etc/default#
root@alpha30:/etc/default# # Don't configure these interfaces. Shell wildcards supported/
root@alpha30:/etc/default# #EXCLUDE_INTERFACES=
root@alpha30:/etc/default#
root@alpha30:/etc/default# # Set to 'yes' to enable additional verbosity
root@alpha30:/etc/default# #VERBOSE=no
root@alpha30:/etc/default#
root@alpha30:/etc/default# # Method to wait for the network to become online,
root@alpha30:/etc/default# # for services that depend on a working network:
root@alpha30:/etc/default# # - ifup: wait for ifup to have configured an interface.
root@alpha30:/etc/default# # - route: wait for a route to a given address to appear.
root@alpha30:/etc/default# # - ping/ping6: wait for a host to respond to ping packets.
root@alpha30:/etc/default# # - none: don't wait.
root@alpha30:/etc/default# #WAIT_ONLINE_METHOD=ifup
root@alpha30:/etc/default#
root@alpha30:/etc/default# # Which interface to wait for.
root@alpha30:/etc/default# # If none given, wait for all auto interfaces, or if there are none,
root@alpha30:/etc/default# # wait for at least one hotplug interface.
root@alpha30:/etc/default# #WAIT_ONLINE_IFACE=
root@alpha30:/etc/default#
root@alpha30:/etc/default# # Which address to wait for for route, ping and ping6 methods.
root@alpha30:/etc/default# # If none is given for route, it waits for a default gateway.
root@alpha30:/etc/default# #WAIT_ONLINE_ADDRESS=
root@alpha30:/etc/default#
root@alpha30:/etc/default# # Timeout in seconds for waiting for the network to come online.
root@alpha30:/etc/default# #WAIT_ONLINE_TIMEOUT=300
root@alpha30:/etc/default# root@alpha30:/etc/default#
-su: root@alpha30:/etc/default#: Aucun fichier ou dossier de ce type
root@alpha30:/etc/default# root@alpha30:/etc/default# pg netw*
-su: root@alpha30:/etc/default#: Aucun fichier ou dossier de ce type
root@alpha30:/etc/default# # Configuration for networking init script being run during
root@alpha30:/etc/default# # the boot sequence
root@alpha30:/etc/default#
root@alpha30:/etc/default# # Set to 'no' to skip interfaces configuration on boot
root@alpha30:/etc/default# #CONFIGURE_INTERFACES=yes
root@alpha30:/etc/default#
root@alpha30:/etc/default# # Don't configure these interfaces. Shell wildcards supported/
root@alpha30:/etc/default# #EXCLUDE_INTERFACES=
root@alpha30:/etc/default#
root@alpha30:/etc/default# # Set to 'yes' to enable additional verbosity
root@alpha30:/etc/default# #VERBOSE=no
root@alpha30:/etc/default#
root@alpha30:/etc/default# # Method to wait for the network to become online,
root@alpha30:/etc/default# # for services that depend on a working network:
root@alpha30:/etc/default# # - ifup: wait for ifup to have configured an interface.
root@alpha30:/etc/default# # - route: wait for a route to a given address to appear.
root@alpha30:/etc/default# # - ping/ping6: wait for a host to respond to ping packets.
root@alpha30:/etc/default# # - none: don't wait.
root@alpha30:/etc/default# #WAIT_ONLINE_METHOD=ifup
root@alpha30:/etc/default#
root@alpha30:/etc/default# # Which interface to wait for.
root@alpha30:/etc/default# # If none given, wait for all auto interfaces, or if there are none,
root@alpha30:/etc/default# # wait for at least one hotplug interface.
root@alpha30:/etc/default# #WAIT_ONLINE_IFACE=
root@alpha30:/etc/default#
root@alpha30:/etc/default# # Which address to wait for for route, ping and ping6 methods.
root@alpha30:/etc/default# # If none is given for route, it waits for a default gateway.
root@alpha30:/etc/default# #WAIT_ONLINE_ADDRESS=
root@alpha30:/etc/default#
root@alpha30:/etc/default# # Timeout in seconds for waiting for the network to come online.
root@alpha30:/etc/default# #WAIT_ONLINE_TIMEOUT=300
root@alpha30:/etc/default# root@alpha30:/etc/default#
-su: root@alpha30:/etc/default#: Aucun fichier ou dossier de ce type
root@alpha30:/etc/default# excuse je crois qu’il y a eu un reebond
Ce n’est pas ce que j’ai demandé.
Pour avoir une chance de comprendre ce qui se passe j’ai besoin que tu fasses tout ce que j’ai demandé, et seulement ce que j’ai demandé.
Bonjour,
OK ce matin
JB
jb1@alpha30:~$ su -
Mot de passe :
root@alpha30:~# wireshark
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
root@alpha30:~# cat /etc/network/interfaces{,.D/*}
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
iface enp0s7 inet static
address 192.168.1.30
netmask 255.255.255.0
gateway 192.168.1.1
#dns-domain example.com
dns-nameservers 193.252.19.3
iface enp0s8 inet static
address 10.0.0.30
netmask 255.255.255.0
# gateway 192.168.1.1
#dns-domain example.com
# dns-nameservers 193.252.19.3
cat: '/etc/network/interfaces.D/*': Aucun fichier ou dossier de ce type
root@alpha30:~# ifup -v enp7s0
ifup: unknown interface enp7s0
root@alpha30:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp7s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 1c:6f:65:3d:35:16 brd ff:ff:ff:ff:ff:ff
3: enp8s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 00:0c:76:ae:b5:56 brd ff:ff:ff:ff:ff:ff
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:ce:eb:a8:19 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
root@alpha30:~# ip route
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
root@alpha30:~#
root@alpha30:~# ifup -v enp8s0
ifup: unknown interface enp8s0
root@alpha30:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp7s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 1c:6f:65:3d:35:16 brd ff:ff:ff:ff:ff:ff
3: enp8s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 00:0c:76:ae:b5:56 brd ff:ff:ff:ff:ff:ff
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:ce:eb:a8:19 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
root@alpha30:~# ip route
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
root@alpha30:~# ^C
root@alpha30:~# .d, pas .D
Je viens de réaliser que les noms des interfaces enp0s7 et enp0s8 dans le fichier /etc/network/interfaces sont incorrects : il y a une inversion entre le 0 et le 7 ou le 8 depuis le début… Il faut mettre enp7s0 et enp8s0.
Bonsoir,
je reboote demain matin
merci pour me montrer la poutre que j’ai dans mon oeil
A+
JB
Je ne l’avais pas remarqué non plus jusqu’à maintenant.
merci pour le coup de main,
c’est pour cela que je préfere ethX au lieu de enpXs0,
en plus c’est plus court à saisir